Saturday, 2 January 2010

Like it or not, we have left the year 2009 behind and entered the new year 2010. We did many things in the last year, some good and some bad. For the good things, we hope that we can achieve them again in 2010, or even exceed them and do better than in the previous year. For the bad things, we have to leave them behind and not repeat them this year. With this ideal in mind, we wish that this year brings more success, luck and health to all of us. May GOD bless us forever.

Following the fast development of IT, computer crime has become a complex crime committed with the use of high technology, so that it is not easy for forensic investigators to analyse it, or even to trace back the perpetrators. Criminals can utilise the internet or an intranet to commit this crime by exploiting vulnerabilities which might exist in the network, or even in the target's machine. By doing this, they can intrude into the network and then hijack the target computers. They turn these computers into a botnet (i.e. robot network), so that they gain full control over these machines; moreover, they can order them to attack a server in order to bring it down with a DDoS (Distributed Denial of Service) attack. Once a target computer has been compromised, the criminals have full access to it. They can obtain much of the information stored on this computer, whether confidential or ordinary. If the information is confidential, they can use it for illegal benefit, such as selling it to the victim's competitors or committing identity fraud. If the information stolen is a bank account or credit/debit card number, they can use it to purchase goods from the internet (so-called carding) or to make money transfers. If the information obtained by the criminals is an email account, they can hijack it by changing the password and then send many entirely false emails on behalf of the victim to any person or institution. The receivers assume that the emails come from the victim. As long as the receivers do not yet know the actual situation, the criminals can persuade them to do something which harms the target. Many harms occur when a computer crime is committed.

From the description above, computer crime is a serious crime which requires more attention from law enforcement agencies. If it cannot be handled properly, the perpetrators cannot be arrested by the police, or they may even be released by the court when the evidence is not sufficient to support the case. For this reason, the digital forensic analyst is expected to be able to handle this crime properly. It means that the analyst should be able to provide strong evidence which can be used to prove the relationship between the case and the perpetrators. If this is performed correctly, it can be guaranteed that the case can be solved successfully. To provide strong evidence, the analyst should have a good background in computer science and practical IT, and should understand well how a computer crime can occur. With this knowledge, they can investigate the case comprehensively, so that they will be able to establish the facts of the case properly. The evidence supporting the involvement of the perpetrators can then be provided completely by the analyst/investigators in order to bring them to jail.

To reach this goal, the analyst should perform a comprehensive digital forensic investigation by applying reliable investigative techniques as well as digital forensic procedures and applications. In dealing with this, the analyst should understand digital forensic principles well. This journal explains the basic principles of the Association of Chief Police Officers (ACPO) which must be applied by a digital forensic analyst. These principles are also adopted by the Digital Forensic Analyst Team (DFAT) of the Forensic Laboratory Centre of the Indonesian National Police (INP).
ACPO Basic Principles on Digital Forensic

To understand how to perform a seizure correctly, the analyst should first understand digital forensic principles. According to the ACPO in the UK, there are four principles which must be implemented in a digital forensic investigation. Below are those principles (ACPO, p8, 2008).

Handling the evidence found in a case of computer crime or computer-related crime is different from handling other evidence such as blood, tool marks, trace evidence and fibres. The evidence found at such crimes is classed as computer-based electronic evidence. As the evidence from this type of crime is volatile and easily altered, the digital forensic analyst should understand how to handle it properly. With proper handling, it is expected that the analyst can reveal the contents of the evidence and bring it into the further investigation. With proper methods, the findings from the evidence are also reliable and can be accepted by the court; otherwise they will be doubted and may even be rejected by the court.

Based on this fact, as handling such evidence is so essential, the analyst must pay close attention when finding it at the crime scene. Handling starts with seizure; therefore the seizure technique plays a key role in handling it properly. The chain of custody of the evidence also starts with the seizure at the crime scene. The chain of custody is a comprehensive description of the travel of the evidence from the crime scene to the court: who first found it at the crime scene, who handled it in the further investigation actions, and who submits it to the court. It also describes who did what to the evidence. However, this journal does not discuss the chain of custody; it explains how to perform a proper seizure of computer-based electronic evidence.

Computer-based Electronic Evidence

The evidence which is found in a case of computer crime or computer-related crime and requires digital forensic analysis is classed as computer-based electronic evidence. This evidence is actually physical evidence, as it can be seen with the eye. The digital forensic analyst and criminal investigators should seek out this type of evidence at the crime scene. After finding it, they perform a proper seizure of it.

The findings, in the form of data or information stored in the evidence, are called digital evidence. This digital evidence then has to be found and analysed by the digital forensic analyst, as it can prove the relationship between the case and the perpetrators.

There are two conditions related to the seizure of computer-based electronic evidence. Both conditions should be understood correctly by the analyst or the investigators, so that they can perform the seizure properly. Below are the conditions.

In this journal, the image file is a dd file obtained from the previous acquisition process. After checking that the hash value of the dd image file is identical to that of the evidence storage media, the dd image is analysed in the following further actions.
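The hash check described above, as an added shell example that is not part of the original post: it acquires a dd image from a constructed sample file standing in for the seized media, records both hashes, and refuses the image when they differ. The function names (hash_of, acquire_image, verify_image) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): dd acquisition followed by the
# source/image hash comparison that must pass before any analysis starts.
set -eu

# SHA-256 of a file; falls back to shasum where coreutils is absent.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# acquire_image SOURCE IMAGE: bit-for-bit copy of SOURCE into IMAGE.
# conv=noerror,sync carries on past unreadable sectors and pads them with
# zeros, so the source should be a whole number of 512-byte sectors.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SOURCE IMAGE: writes both hashes to IMAGE.sha256 for the
# case record and returns 0 only when they are identical.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# ---- demonstration on constructed data; no real device is touched ----
WORK=$(mktemp -d)
SRC="$WORK/evidence.bin"   # stands in for the seized storage media
IMG="$WORK/evidence.dd"    # the acquisition image
yes "constructed evidence sample" | head -c 8192 > "$SRC"   # exactly 16 sectors
acquire_image "$SRC" "$IMG"
if verify_image "$SRC" "$IMG"; then
    echo "image verified, safe to analyse:"; cat "$IMG.sha256"
else
    echo "HASH MISMATCH: re-acquire before any analysis" >&2
fi

# One altered byte in the image must be caught by the same check.
printf 'X' | dd of="$IMG" bs=1 seek=100 conv=notrunc 2>/dev/null
if verify_image "$SRC" "$IMG"; then echo "unexpected match" >&2
else echo "altered image rejected"; fi
rm -rf "$WORK"
```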

Method: Physical analysis with the use of Autopsy

Autopsy is the graphical interface to The Sleuth Kit (TSK), created by Brian Carrier. TSK is designed to be used from the command line in a terminal, while Autopsy is a browser front end for running TSK. As Autopsy is browser-based, it makes it easier for the digital forensic analyst to investigate the evidence. Both applications are as reliable for forensic analysis as commercial applications such as EnCase and Forensic Toolkit (FTK), which run under MS Windows. TSK and Autopsy are used to analyse the file system of the evidence in a non-intrusive way. As they do not rely on the operating system to examine the file system, they can show deleted and hidden contents.

According to the author's description in the Synaptic Package Manager, it allows the analyst to examine the layout of disks and other media. It supports DOS partitions, BSD partitions (disk labels), Mac partitions and Sun slices (Volume Table of Contents). With these tools the analyst can identify where partitions are located and extract them so that they can be analysed with file system analysis tools. It provides case management, image integrity, keyword searching and other automated operations for investigative purposes.

As explained in Synaptic, autopsy starts the Autopsy Forensic Browser server on port 9999 and accepts connections from localhost. If the -p port argument is given, the server opens that port instead, and if an address is given, connections are only accepted from that host. When the -i argument is given, autopsy goes into live analysis mode.

There are four consecutive steps in the physical analysis, namely:

About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which started around 2000. Last year, in 2012, my team and I successfully investigated and analysed 488 items of evidence from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents are mostly from the knowledge and science I gained from the MSc in Forensic Informatics at the University of Strathclyde in the UK in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".